Standard for Handling Institutional Information - 4. Handling Electronically Transmitted Information

Information should be transmitted in a manner acceptable for use with the highest Classification of information contained in the message or file. For example, if a transmission contains both PL-2 and PL-4 information, then the information should be transmitted according to the handling requirements for PL-4 information.

Electronic mail

The New School-branded version of Gmail (reachable through MyNewSchool or mail.newschool.edu) is the official university email system.

The New School Secure File Transfer Service (described below) is the official university system for sending Sensitive Institutional Information.

NEW SCHOOL GMAIL

Google provides this version of Gmail to The New School under a specially negotiated end-user license agreement designed to protect the privacy and security of information owned by The New School and the members of its community. This license agreement also includes special protections for Education Records subject to the Family Educational Rights and Privacy Act (FERPA). Faculty and staff should use their official university email address for all university business-related email that does not involve sending or receiving Sensitive Institutional Information.

| Prot. Level | Requirements |
|-------------|--------------|
| PL-1 | No special requirements. |
| PL-2 | No special requirements. |
| PL-3 | Personal Data: Not permitted; use SecureSend instead. |
| PL-4 | Not permitted; use SecureSend instead. |

NEW SCHOOL SECURE FILE TRANSFER SERVICE (SECURESEND)

The New School secure file transfer service (reachable through securesend.newschool.edu) is the best way to send messages and files containing Sensitive Institutional Information to internal and/or external recipients. Faculty and staff should always use SecureSend to send information Classified at Protection Level PL-4, even when the recipient(s) are also within the university (newschool.edu) domain. In most cases, SecureSend should also be used to send information Classified at Protection Level PL-3, unless there is an operational reason not to do so.

| Prot. Level | Requirements |
|-------------|--------------|
| PL-1 | No special requirements. |
| PL-2 | No special requirements. |
| PL-3 | Recommended. |
| PL-4 | Required. |

OTHER EMAIL PROVIDERS

External email service providers, including Google’s consumer Gmail platform (@gmail.com), do not provide legal protection or accountability for New School Institutional Information, and they generally do not comply with the information security and privacy safeguards required by state, federal, and international laws and regulations or university policies. New School Workforce Members may not automatically forward or redirect messages from an official university email address (containing @newschool.edu) to a non-university email address (containing anything other than @newschool.edu). Doing so may put that individual and The New School at risk of violating GDPR, FERPA, GLBA, HIPAA, or other laws and regulations. Workforce Members may manually forward individual messages (i.e., one at a time) only if they do not contain Sensitive Institutional Information and such forwarding is permitted by applicable laws and regulations.


File transfer (FTP) and web-based upload/download

The File Transfer Protocol (FTP) and its secure variants, the SSH File Transfer Protocol (SFTP) and FTP-over-SSL/TLS (FTPS), are often used to transfer large amounts of data from one system to another. Generally, FTP is more appropriate for unattended (computer-to-computer) transfers; transfers in which either the sender or the recipient is a person are usually better accomplished using the New School Secure File Transfer Service (above).

Some third parties with which The New School does business may require that files be exchanged with them by uploading or downloading the file through a web browser. Although this process is typically performed manually rather than by automated means, it is essentially equivalent to FTP and is therefore subject to the same handling requirements.

| Prot. Level | Requirements |
|-------------|--------------|
| PL-1 | No special requirements. |
| PL-2 | No special requirements. |
| PL-3 | FTP (or web) server access must be protected by username and password or other secure credential. |
| PL-4 | FTP (or web) server access must be protected by username and password or other secure credential. |


Web services (SOAP/REST)

Some cloud-based software-as-a-service providers offer web services based on either the Simple Object Access Protocol (SOAP) or representational state transfer (REST) to retrieve data from or submit data to their services, as well as to execute various application functions.

| Prot. Level | Requirements |
|-------------|--------------|
| PL-1 | No special requirements. |
| PL-2 | No special requirements. |
| PL-3 | Web services access must be protected by username and password or other secure credential. |
| PL-4 | Web services access must be protected by username and password or other secure credential. |


Collecting information via web forms

Many New School offices use web-based forms to collect information from current and prospective students, alumni, employees, and the public. Web-based forms platforms frequently used at The New School include:

  • Google Forms. See Storage on Cloud Storage - New School G Suite for details on the types of information that may be collected with Google Forms in the newschool.edu domain. Google Forms outside the newschool.edu domain (e.g., on the consumer G Suite platform) may only be used to collect information Classified at Protection Level PL-1.
  • Qualtrics. Forms created under the New School Qualtrics academic instance (reachable through MyNewSchool or newschool.qualtrics.com) may be used to collect information Classified at Protection Levels PL-1 and PL-2. They may also be used to collect information Classified at Protection Level PL-3 or PL-4, provided the requirements below are met. Forms created outside the New School Qualtrics instance (e.g., in a personal Qualtrics account) may only be used to collect information Classified at Protection Level PL-1.
  • JotForm. JotForm forms managed under the New School account may be used to collect information Classified at Protection Levels PL-1 and PL-2. They may also be used to collect information Classified at Protection Level PL-3 or PL-4, provided the requirements below are met. JotForm forms not managed under the New School account may only be used to collect information Classified at Protection Level PL-1. (Access to create forms under the New School account is managed by Marketing & Communications.)

Other web form platforms (SurveyMonkey, etc.) may only be used to collect information Classified at Protection Level PL-1.

| Prot. Level | Requirements |
|-------------|--------------|
| PL-1 | No special requirements. |
| PL-2 | No special requirements. |
| PL-3 | Information must be submitted over an encrypted (TLS) connection. |
| PL-4 | Information must be submitted over an encrypted (TLS) connection. |

